About | ACP | Get Stuff | Industry Watch | Learning Curve | Newsletter | Search | Test Drive
Home » Industry Watch

Re: Inside a Modern Mac Trojan

'If you didn't go looking for it, don't install it!'

Get It

Try It

THE INTERWEBS (Rixstep) — Brian Krebs is reporting on yet another social engineering trick to compromise OS X machines. The antivirus cottage industry players are out en masse again. Brian says you still don't need their products.

Trojan Droppers & Backdoors

As always the AV people came up with some fancy names for their discovery. F-Secure call the initial payload Trojan-Dropper:OSX/Revir.A, the trojan itself Backdoor:OSX/Imuler.A, and they're still working on a name for the third part.

For there are three parts to this monster, folks.

  1. The download - an executable disguised as a PDF file. The user unwittingly (and recklessly) double-clicks it and the file - actually an executable - gives birth to a real PDF file embedded within. This PDF file is placed in /tmp and opened. No suspicions raised as the user expects to see a PDF file.

    This is possible on OS X because the system still allows arbitrary assignment of icons to files. The technique was used years ago by Oompa Loompa.

  2. Mamma Trojan-Dropper was actually carrying twins. The second one's the aforementioned Backdoor:OSX/Imuler.A (great name) and it immediately downloads yet another file as /tmp/updtdata.

  3. Backdoor:OSX/Imuler.A now runs /tmp/updtdata which in turn opens a backdoor onto the local machine.

Much ado about nothing? Not quite. The idea a rogue process can open a backdoor without user authorisation is a bit of a stretch - unless of course the black hats have finally been able to exploit the (unofficial) Apple hack written about so many times at this site.

As for the rest: yes it's much ado about nothing.

As for running files one's not familiar with, there's always Tracker (and not much else unfortunately - and no, AppZapper isn't going to fix you).

Brian winds up by pointing out yet again:

  • 'If you didn't go looking for it, don't install it!' The Apple mantra goes a bit further and says you should never run untrusted or unknown software. That's even better advice.

  • No you do not need 'antivirus' on your Mac.

I still don't believe it's necessary for Mac users to install antivirus software.
 - Brian Krebs

Further Reading
ACP: Tracker: Why Chance It?
Krebs on Security: Inside a Modern Mac Trojan

About | ACP | Get Stuff | Industry Watch | Learning Curve | Newsletter | Search | Test Drive
Copyright © Rixstep. All rights reserved.